How to Add a New Host to an Existing SSL VPN Tunnel on Cisco ASA

ByAdrian

In this blog post, we will demonstrate how to add a new host to an existing SSL VPN tunnel on a Cisco ASA appliance. More specifically, we will cover the following topics:

Existing SSL VPN Tunnel

The first thing you will need to do is to verify that the SSL VPN tunnel is in fact already configured on your Cisco ASA appliance. To do this, login to the Cisco ASA interface with the username and password you used during the initial SSL VPN installation process. You will then need to navigate to Taps → SSL VPN → VPN Tunnels. In our example, the existing SSL VPN tunnel is named VPN_demo.

New Host

Next, you will need to establish the IP address of the new host you wish to add to the VPN tunnel. In most cases, this will be the IP address of a terminal device (i.e., a laptop or desktop computer).

Once you have the IP address of the new host, you can continue with the next step. You will need to ensure that the IP address of the new host is not already in use by any other devices or systems on your network. If it is, then you will either need to change the IP address of one of these devices or systems or find a different solution. For example, if you use DHCP then you can easily allocate a new IP address to the new host.

NAT Traversal

NAT (Network Address Translation) is a protocol defined by IETF RFC 3901 that allows a device on a private network to use public network addresses (IPv4/IPv6) when communicating with devices on a different private network. Since VPNs are a type of private network, it is possible that your existing VPN connection could be subject to NAT traversal attacks. In order to prevent these kinds of attacks, you will need to ensure that all of the IP addresses used within your SSL VPN tunnel are properly translated to allow communication with devices outside the firewall. In our example, we will use a tool named iprange for this purpose. To use this tool, you will need to install it on one of your devices (e.g., a computer). Once you have installed it, you can start by running the following command:

$ iprange list

Default routes:
   192.168.254.0/22 via 2001:470:8d:1f::2, dev eth0
   192.168.0.0/16 via fdb6:0000:0000:0000:0000:0000:0000:0001

You can then use the iprange command to create a range of IP addresses that will be able to communicate with the outside world through your VPN. In our example, we will use the following command:

$ iprange add 192.168.0.1-192.168.0.20 /range=VPN_demo

This will create a range of IP addresses from 192.168.0.1 to 192.168.0.20 and will assign them to the VPN_demo tunnel. Next, you will need to assign this new range of IP addresses to one of your interfaces on the Cisco ASA. In our example, we will use the following command:

$ interface VPN_demo
  ip address 192.168.0.1
  ip range 192.168.0.1-192.168.0.20

Cipher Suites

Cipher Suites are a group of security algorithms typically used within encryption processes. The stronger the encryption algorithm, the more secure the communication between two devices will be. In order to ensure that your existing SSL VPN tunnel is as secure as possible, you will need to make sure that all of the cipher suites are enabled within your SSL VPN configuration. In our example, we will use the default Cisco ASA SSL VPN configuration and enable only the following cipher suites:

AES – CBC- MD5

This is the most preferred cipher suite by security experts because it is considered one of the most secure encryption algorithms available. It is known as a block cipher because each byte or block of data is encrypted independently of one another. This makes it very versatile and customizable. For instance, you can use it to encrypt your entire hard drive or just specific files or folders within it. While CBC-MD5 is considered one of the strongest and most secure cipher suites available, it does come with a major drawback. Because it is a block cipher, it is considered to be extremely slow compared to other algorithms. If your main concern is speed, then you should consider using a different cipher suite. However, if you are more concerned about security, then this is the cipher suite you will want to use.

3DES – CBC- MD5

This is the second preferred cipher suite by security experts because it is considered faster than AES-CBC-MD5. However, like AES-CBC-MD5, it is also considered one of the most secure and versatile cipher suites. Like all cipher suites, it is a block cipher and operates on 32-bit blocks at a time. This makes it much faster than AES-CBC-MD5. In addition, it uses three keys instead of two as does AES-CBC-MD5. Like CBC-MD5, 3DES-CBC also uses the CBC mode of operation. This makes it very compatible with existing infrastructure and applications.

RC4

RC4 is a stream cipher. This algorithm is quite insecure and is considered to be obsolete by experts. However, it is still in use because it is extremely easy to use and implements within most standard libraries. It also has a strong comeback if you do run into trouble because it is one of the most popular algorithms used within online communities. Like all stream ciphers, RC4 operates on one key which is shared between all users. This makes it much more vulnerable to hacking than block or stream ciphers. Therefore, if you are using this algorithm, then you should consider increasing the length of the key.

IDEA – CBC- SHA

This is the third preferred cipher suite by security experts because it is a combination of both block and stream functionality. Like all CBC-based algorithms, IDEA uses the CBC mode of operation and the SHA (Secure Hash Algorithm) for hashing. The CBC mode of operation handles encryption with block ciphers while the SHA handles the integrity of the data. Therefore, this algorithm functions similarly to 3DES-CBC-MD5 but with additional benefits of speed and security.

DES – triple DES

This is the fourth preferred cipher suite by security experts because it is a combination of all of the above. Like CBC-SHA, DES can operate in either a block or a stream mode. However, unlike the latter, it can operate in three separate key sizes (64-, 112-, and 168-bit) making it quite customizable. You can also choose to use the smaller keys for speed or larger keys for added security. While it does offer some great benefits, implementing this algorithm is not without its complexities. If you are using this algorithm, then you will need to ensure that all devices within your network are configured to use the same cryptographic keys. In our case, we will be using Triple DES-CBC-SHA.

DH-DSS

This is the fifth preferred cipher suite by security experts because it is an improvement on the standard DH scheme. In the standard DH scheme, each device within a network agrees to use a common key pair for encryption. However, in the case of a DSS (Digital Signature Scheme), the two devices exchange public keys before engaging in any encrypted communication. This way, you can be sure that both parties are who they say they are before agreeing to any sensitive information. Implementing DSS is much more complex than implementing DH but it offers many advantages. If you are looking for an additional layer of security, then this is the algorithm you will want to use.

RSA

This is the last of the preferred cipher suites by security experts. However, it is also one of the most popular algorithms used for symmetric key algorithms. This is mainly because it is extremely easy to use and can be implemented within most standard libraries. In addition, many operating systems have built-in support for this algorithm. This makes it compatible with existing infrastructure and applications.

Similar Posts

NordVPN Unable to Browse When Off

ByAdrian

When you travel internationally, particularly to countries where internet access and privacy are restricted, it’s essential to ensure that your personal data is protected online. Otherwise, you may simply not be able to access the content and services you need when you’re there. In this article, we’ll discuss how to secure your personal data when…

How to Use NordVPN for Gaming?

ByAdrian

NordVPN is a well-known VPN provider that’s been around for many years. The service was originally designed for the US-based market, but has expanded to many other countries. You can use their services to unblock media content outside of America, as well as access region-locked content from countries like Japan and Germany. One of the…

How to Create a VPN to Get on Teamspeak

ByAdrian

Teamspeak is a popular voice chat and chat tool for gaming and mapping purposes. If you’ve ever used Skype, you can feel confused at first when you try to use Teamspeak because it’s so different. Once you get over the surprise, however, you’ll see that Teamspeak is actually a lot simpler than you’d think. In this blog post, we’ll help you understand how to use Teamspeak, what you need to do, and how to connect to the server faster than ever. What Is A VPN? A virtual private network, or VPN, is a technique used to connect several machines (laptops, mobile phones, etc.) together for security and privacy purposes. When you connect to a VPN, your computer’s browser will see an additional IP address which is associated with the VPN. This additional IP address will hide your true computer’s IP address for the rest of the networks you’re connected to. Thus, all of your packets (data that you send over the internet to be transmitted) will appear to be coming from a different IP address than the one associated with your normal computer connection.  Why Should You Create A VPN To Get On Teamspeak? Whether you use gaming or mapping software on your computer, or you just want to keep your identity private when you play online, you’ll need a VPN to get access to the resources you need. While it’s usually easy to sign up for a free VPN account, if you want to connect to Teamspeak, you’ll need a paid account. To get on Teamspeak, you’ll need to connect to a VPN server and register your computer with it.  If you want to use the internet for some browsing or downloading, you’ll also need a VPN to get around the filters that are often used by ISPs (internet service providers) to limit internet access for a specific group of people. For example, ISPs might block access to certain websites or file types because they think you’re a pedophile or they want to limit internet usage for adults because children are often the victims of child pornography.  How Do I Connect To A VPN To Get On Teamspeak? Once you’ve established the VPN, you can connect to it via the ‘Connect’ button in your browser. If you’re using Chrome, you’ll see a menu of VPN services with your default browser. You can also use your default search engine to find the right VPN for you. Once you’ve connected, you’ll be prompted to enter a username and password for your account.  Once I’m On Teamspeak, How Do I Use It? As the name suggests, Teamspeak is a team chat tool, which means that it’s easy to set up and accessible for groups who are meant to chat with one another. The main interface is similar to Skype with one distinguishing feature which makes it a lot easier to use: the ability to split the screen so that you can communicate with multiple people at once. When you open up Teamspeak, you’ll see a splash screen with a button which reads: ‘+’. Click this button to add a person to your team. A team is a group of people connected to a project with a common goal, usually committed to working together to achieve that goal. Your team can have up to four members. You can also add a button that will launch a ‘client’ application on your computer. This client will give you access to a virtual network interface, or VNI, which let’s you browse the web, communicate via email, and make audio calls to others connected to the VNI. This is a great tool to have if you enjoy hacking and tinkering with the settings on your computer but don’t want to log off to do it. You can download and install the client from the VNI’s website, but it’s better to use the client integrated with the VNI into your own browser so that you can access it whenever you want.  How Do I Leave Teamspeak? Leaving Teamspeak is just as easy as entering it. Remember: your VNI client is associated with a paid account of the VPN you connected to, so you will need to log off from Teamspeak when you connect to a VPN. However, if you click the ‘X’ button at the top right of the screen, you’ll immediately be prompted to log off from Teamspeak.  Is There Anything Else I Should Know About Using Teamspeak? Besides logging off from Teamspeak when you need to, there aren’t any other pitfalls I’ve found with the application. It’s a nice, simple vpn client that’s easy to use and gets the job done. If you want a quick and easy way to connect to a VPN, with or without Gaming or Mapping software on your computer, you can’t go wrong with Teamspeak.